QRadar WinCollect and Native Windows Event Collection: How to Do It Right, Filter the Noise and Simplify your Infrastructure

Webinar Registration

The WinCollect team at QRadar has done a great job supporting native Windows Event Collection (also known as Windows Event Forwarding). In this real training for free webinar, Jonathan Pechta from QRadar and I will show you how to simplify your environment for getting Windows event logs into QRadar using WEC.

WEC is great because it

  • Is zero-touch
  • Requires no inbound connections, credentials or firewall exceptions to configure
  • Requires no agents to install, update or monitor the health of
  • Gets less push back from system administrators
  • Saves a significant amount of network bandwidth and reduces the number of log messages generated compared to remotely collecting event logs over RPC or WMI (e.g., the multiple logon and logoff events generated each collection interval)

At a high level, it’s just a matter of

  1. Install the WinCollect Agent on the Event Collector server
  2. Create a Windows Event Log log source on QRadar tied to that WinCollect Agent
  3. Check "Forwarded Events" as an option in that log source
  4. WinCollect will now send forwarded events to QRadar. These events auto-discover as their own log sources, so any computer that forwards to that collector shows up in QRadar as its own log source.

I’ll also provide an overview of Windows Event Collection and how you can filter noise events at the source.

I’ll finish up by showing you how LOGbinder Supercharger automates and centralizes the management, implementation and monitoring of WEC. I will show you both the Free and Enterprise editions of Supercharger and how they help you answer these questions:

  • How to manage multiple collectors?
  • Is WEC really working?
    • Which computers are failing to forward security logs?
    • Are we missing any computers?
  • Is my WEC collector overloaded?
    • Dropping events?
    • Unresponsive?
    • Approaching capacity?
  • How do I balance the load of many event sources between multiple collectors?
  • How do you optimize Windows for dedicated Windows Event Collection?
    • TCP connection lifecycle
    • Autologger buffer settings
    • WEC batching and latency
  • How do you create custom destination logs to avoid overloading Forwarded Events?

Please join us for this specific and in-depth real training for free session.
